The GUI of the CoinVault window, complete with the cybercriminal’s bitcoin address. (Source: CryptoCoins News)

For more than a year, the CoinVault malware campaign proceeded largely undeterred. However, a major blow was dealt to the ransomware in September of this year when the National High Tech Crime Unit (NHTCU) arrested two individuals, aged 18 and 22, on suspicion of involvement in the ransomware attacks.

During the investigation that followed those arrests, the NHTCU, in cooperation with the Netherlands’ National Prosecutor’s Office, obtained several databases from CoinVault’s command-and-control (C&C) servers that contained, among other things, initialization vectors (IVs), private Bitcoin wallets, and decryption keys.

Researchers with Kaspersky used these resources to study CoinVault further. Their analysis revealed, among other things, that the ransomware uses 256-bit AES in CFB (cipher feedback) mode.

These findings enabled the security firm to publish more than 700 decryption keys in April of this year. Now Kaspersky has released all 14,000 keys.

“The National High Tech Crime Unit (NHTCU) of the Netherlands’ police, the Netherlands’ National Prosecutors Office and Kaspersky Lab, have been working together to fight the CoinVault and Bitcryptor ransomware campaigns,” a page which hosts Kaspersky’s decryption tool reads. “During our joint investigation we have obtained data that can help you to decrypt the files being held hostage on your PC. We are now able to share a new decryption application that will automatically decrypt all files for Coinvault and Bitcryptor victims. For more information please see this how-to guide. We are considering this case as closed. The ransomware authors are arrested and all existing keys have been added to our database.”

Users who believe they have been affected by CoinVault can access the decryption key directly here.